bluescan: A powerful Bluetooth scanner

The bluescan it is a project open sourced by Sourcell Xu of the DBAPP team Security HatLab. 

When violating new Bluetooth targets, the scanner can help us gather information, such as:

• BR devices
• LE devices
• LMP features
• GATT services
• SDP services
• Vulnerabilities

System requirements

This tool is based on BlueZ, the official Bluetooth stack of Linux. The following packages must be installed:

sudo apt install libglib2.0-dev libbluetooth-dev

Installation

sudo pip3 install bluescan

Use

$ bluescan -h
bluescan v0.1.1

A powerful Bluetooth scanner.

Author: Sourcell Xu from DBAPP Security HatLab.

License: GPL-3.0

Usage:
    bluescan (-h | --help)
    bluescan (-v | --version)
    bluescan [-i ] -m br [--inquiry-len=] bluescan [-i ] -m lmp BD_ADDR bluescan [-i ] -m sdp BD_ADDR bluescan [-i ] -m le [--timeout=] [--le-scan-type=] [--sort=] bluescan [-i ] -m gatt [--include-descriptor] --addr-type= BD_ADDR bluescan [-i ] -m vuln --addr-type=br BD_ADDR

Arguments:
    BD_ADDR    Target Bluetooth device address

Options:
    -h, --help                  Display this help
    -v, --version               Show the version
    -i                    HCI device for scan [default: hci0] -m                    Scan mode, support BR, LE, LMP, SDP, GATT and vuln
    --inquiry-len=           Inquiry_Length parameter of HCI_Inquiry command [default: 8] --timeout=             Duration of LE scan [default: 10] --le-scan-type=       Active or passive scan for LE scan [default: active] --sort=                Sort the discovered devices by key, only support RSSI now [default: rssi] --include-descriptor Fetch descriptor information --addr-type=          Public, random or BR

Scanning BR devices -m br

Classic Bluetooth devices may use three technologies: BR (Basic Rate), EDR (Enhanced Data Rate) and AMP (Alternate MAC / PHY). Since they all belong to the Basic Rate system, we call them BR scanners:

 

As shown above, by scanning BR devices, we can obtain the address, name, device type and RSSI of the surrounding classic Bluetooth devices.

Scanning devices LE -m le

Bluetooth technology, in addition to the Basic Rate system, also has the low power system (LE). Scanning low power Bluetooth devices is called LE device scan:

As shown above, by scanning LE devices, we can obtain the address, address type, connection status, RSSI, and GAP data of the surrounding LE devices.

SDP scanning services

Classic Bluetooth devices inform the outside world about their open services via SDP. After scanning SDP, we can receive the service data of this classic Bluetooth device:

You can try to connect to these services for further benefits.

LMP scan functions

Detecting the LMP functions of classic Bluetooth devices allows us to judge the basic security features of the classic Bluetooth device:

 

Scanning GATT services

LE devices inform the outside world about their open services through GATT. After scanning the GATT, we can receive the GATT service of the specified LE device. You can try to keep the GATT data for further breaches:

Vulnerability Scan (Demo)

The vulnerability scan is still in the demonstration phase and currently only supports CVE-2017-0785:

$ sudo bluescan -m vuln --addr-type = br ??: ??: ??: ??: ??: ?? ... ... CVE-2017-0785

 

You can download the program from here.